On the (In)Feasibility of Attribute Inference Attacks on Machine Learning Models

Benjamin Zi Hao Zhao, Aviral Agrawal, Catisha Coburn, Hassan Jameel Asghar, Raghav Bhaskar, Mohamed Ali Kaafar, Darren Webb, Peter Dickinson
DOI: https://doi.org/10.48550/arXiv.2103.07101
2021-03-12
Abstract: With an increase in low-cost machine learning APIs, advanced machine learning models may be trained on private datasets and monetized by providing them as a service. However, privacy researchers have demonstrated that these models may leak information about records in the training dataset via membership inference attacks. In this paper, we take a closer look at another inference attack reported in literature, called attribute inference, whereby an attacker tries to infer missing attributes of a partially known record used in the training dataset by accessing the machine learning model as an API. We show that even if a classification model succumbs to membership inference attacks, it is unlikely to be susceptible to attribute inference attacks. We demonstrate that this is because membership inference attacks fail to distinguish a member from a nearby non-member. We call the ability of an attacker to distinguish the two (similar) vectors as strong membership inference. We show that membership inference attacks cannot infer membership in this strong setting, and hence inferring attributes is infeasible. However, under a relaxed notion of attribute inference, called approximate attribute inference, we show that it is possible to infer attributes close to the true attributes. We verify our results on three publicly available datasets, five membership, and three attribute inference attacks reported in literature.
Machine Learning, Cryptography and Security
What problem does this paper attempt to address?
This paper explores the feasibility of Attribute Inference (AI) attacks on machine-learning models. Specifically, the authors study whether an attacker who knows part of a record used in the training dataset can infer its missing attributes by accessing the machine-learning model through an API.

### Research Background and Problem Description

With the popularization of low-cost machine-learning APIs, many companies can make a profit by providing trained machine-learning models as services. However, privacy researchers have found that these models may leak information about the training dataset through Membership Inference (MI) attacks. In an MI attack, an attacker infers whether an input belongs to the training dataset by observing the model's response to that input. On this basis, the paper focuses on another type of inference attack, the Attribute Inference (AI) attack. In an AI attack, an attacker tries to infer the missing attributes of a record in the training dataset from its known features by accessing the machine-learning model.

### Main Research Questions

1. **Effectiveness of AI Attacks**: The paper explores whether a classification model that is vulnerable to MI attacks is also vulnerable to AI attacks.
2. **Role of Strong Membership Inference (SMI)**: The authors propose and define SMI, in which an attacker can distinguish members of the training dataset from nearby non-members. The research shows that successful AI attacks depend on successful SMI attacks.
3. **Possibility of Approximate Attribute Inference (AAI)**: Although strict AI attacks are difficult to carry out successfully, in some cases an attacker can infer values close to the real attributes.

### Research Conclusions

- **Relationship between MI and AI**: Experimental results show that even if a model is vulnerable to MI attacks, it is not necessarily vulnerable to AI attacks. This is because MI attacks cannot distinguish members from nearby non-members, that is, they cannot achieve Strong Membership Inference (SMI).
- **Possibility of AAI Success**: Although strict AI attacks are difficult to carry out successfully, Approximate Attribute Inference (AAI) is feasible in some cases, especially when the model is over-fitted.

### Formula Representation

Some key concepts and formulas involved in the paper are as follows:

- **Distance Metric**: Used to measure the distance between two vectors in the feature space, such as Hamming distance \(d_H\) and Manhattan distance \(d_M\).

\[ d_H(x, x')=\sum_{i = 1}^{m}\mathbb{1}(x_i\neq x'_i) \]

\[ d_M(x, x')=\sum_{i = 1}^{m}|x_i - x'_i| \]

- **Membership Inference Advantage**:

\[ \text{Adv}_{\text{MI}}(A, h, n, D)=\Pr[b' = 1|b = 1]-\Pr[b' = 1|b = 0] \]

- **Strong Membership Inference Advantage**:

\[ \text{Adv}_{\text{SMI}}(A, h, r, n, D)=\Pr[b' = 1|b = 1]-\Pr[b' = 1|b = 0] \]

- **Attribute Inference Advantage**:

\[ \text{Adv}_{\text{AI}}(A, h_X, m', n, D)=\Pr[\text{Exp}_{\text{AI}}(A, h_X, m', n, D)=1|b = 1]
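
For auditing a model's leakage, the distance metrics and the MI and SMI advantage definitions above can be computed empirically; the following is an added example, not code from the paper or its authors. The records, the `confidence` scorer standing in for the model API, the threshold attack and the choice of "nearby" as exactly Hamming distance `r` are all constructed assumptions, so the numbers illustrate the definitions only and do not reproduce the paper's results.

```python
from itertools import combinations

# Constructed toy data: records with 8 binary attributes.
TRAIN = {(0,) * 8, (1, 1, 1, 1, 0, 0, 0, 0), (0, 0, 0, 0, 1, 1, 1, 1)}
# Non-members as an MI experiment would draw them (mostly far from TRAIN).
NON_MEMBERS = [(1, 1, 0, 0, 1, 1, 0, 0), (1, 0, 1, 0, 1, 0, 1, 0),
               (0, 1, 0, 1, 0, 1, 0, 1), (1,) * 8, (1, 0, 0, 0, 0, 0, 0, 0)]

def d_hamming(x, y):
    """d_H: number of positions where the two vectors differ."""
    return sum(a != b for a, b in zip(x, y))

def d_manhattan(x, y):
    """d_M: sum of absolute coordinate differences."""
    return sum(abs(a - b) for a, b in zip(x, y))

def confidence(x):
    """Hypothetical model API: score decays smoothly with distance to training data."""
    return 1.0 / (1.0 + min(d_manhattan(x, t) for t in TRAIN) / 4.0)

def neighbours(x, r):
    """Non-members at Hamming distance exactly r from x (flip r binary attributes)."""
    out = []
    for idx in combinations(range(len(x)), r):
        y = tuple(1 - v if i in idx else v for i, v in enumerate(x))
        if y not in TRAIN:
            out.append(y)
    return out

def advantage(attack, positives, negatives):
    """Adv = Pr[b' = 1 | b = 1] - Pr[b' = 1 | b = 0] for a 0/1 attack."""
    tpr = sum(map(attack, positives)) / len(positives)
    fpr = sum(map(attack, negatives)) / len(negatives)
    return tpr - fpr

def run(r):
    """Return (Adv_MI, Adv_SMI at radius r) for one threshold attack."""
    members = sorted(TRAIN)
    mean = lambda xs: sum(map(confidence, xs)) / len(xs)
    # Threshold calibrated in the MI setting: midway between mean scores.
    tau = (mean(members) + mean(NON_MEMBERS)) / 2
    attack = lambda x: confidence(x) >= tau
    near = [y for x in members for y in neighbours(x, r)]
    return advantage(attack, members, NON_MEMBERS), advantage(attack, members, near)

if __name__ == "__main__":
    for r in (1, 2):
        print(r, run(r))
```

On this constructed data the same attack that separates members from ordinary non-members has no advantage against non-members one attribute away, which is the MI versus SMI gap the summary describes.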